Posted by Roblimo on Thursday March 13, 2014 @12:56PM from the the-most-interesting-people-are-often-in-the-rebel-groups dept.

RSA holds big-time annual security conferences. The 2014 U.S. edition had 25,000 attendees, Stephen Colbert as the closing keynote speaker, and a major controversy (and some anger) from potential speakers and attendees over RSA's reputed $10 million contract with NSA to make sure the company's encryption software had back doors the secretive agency could use to spy on people and companies that use RSA software. This is part of a story that might be called The Snowden Revelations if it is made into a movie, but right now it's still controversial, and enough of a bombshell in the IT security industry that F-Secure's Mikko Hyppönen decided not to speak at this year's U.S. RSA conference, followed by Bruce Schneier, DEFCON founder Jeff Moss, Princeton professor Ed Felten, and other security luminaries.

And so, TrustyCon -- the Trustworthy Technology Conference -- was born. It was a sellout, with 400 people attending at $50 a head, and another 300 on a waiting list who couldn't get in. Slashdot's Tim Lord managed to get in, and got to speak briefly with several people there, including one of the TrustyCon organizers, Joel Wallenstrom. These were crude interviews, done on a "catch as catch can" basis, and the sound in them is poor. (Google sent a camera crew and shot over seven hours of the conference speakers, which you can watch on YouTube if you want to view TrustyCon presentations in good HD with great sound.) Will there be another TrustyCon next year? According to The Register, "The conference organizers said that, at this point, the plan is to hold another get-together next year, but that a final decision will be made closer to the time."

Jamie: So what a security conference like RSA does not have, that TrustyCon has, is a focus on trust. For us, it is one of the key tenets of our company that we focus on both protecting our customers, making sure that they feel comfortable and that they trust us, not only with their data, but also with their tasks.

Tim: ____ transparency report ____

Jamie: So a transparency report typically consists of law enforcement requests. Some transparency reports also include civil process requests, but the transparency report that CloudFlare issued this morning, our first initial transparency report, ____ to all the law enforcement requests we received, and we broke it down into things like subpoenas, court orders, search warrants, and pen register/trap trace orders.

Tim: Why is that ____

Jamie: I think it is important for companies to do that because it provides a layer of, obviously, transparency but security to their customers, so that they know what sort of requests are coming in at the company, and then gives the company an opportunity to say, “These are the things that we do; these are the things that we don’t do.” And essentially gives a little more information about the policies and the consistent application of those policies of the organization.

Tim: ____ company like yours, ____ how many requests did you get?

Jamie: The types of requests we receive, we receive very similar requests to telcos and different service providers—subpoenas, court orders, things of that nature. But our volumes are very low. For example, our transparency report, which is available at cloudflare.com/transparency, shows numbers around for subpoenas that we have received for 2013: 18 subpoenas, but in that case we pushed back on 16 of those subpoenas and they were either rescinded or additional court orders were pursued by law enforcement. Other numbers that we received are all under two digits. So we don’t have hundreds of thousands of requests like you would see at a telco.

Tim: ____ talk about that ____ think about ____ how do they react to that?

Jamie: So from our perspective, it is important to keep things secure and keep things private, right. Trust, privacy, and security all go together. They go hand in hand. And so for us, it is something that we are concerned about, making sure that when we are designing services and designing products that we are considering privacy by design, so it is from an engineering perspective and from a policy perspective, and making sure that we are keeping our customers’ data secure at all times, and whether that means from hackers, or if that means from law enforcement or from government ____ that want to ____

Tim: It seems like

Jamie: That’s one thing that they can do. They can also choose to aggregate their data or essentially choose not to retain data. There are situations where it is important to evaluate how much of this data we actually need to perform the services and provide the products that we are providing to our customers. In many cases, a lot of companies don’t need all the data that they are holding on to.

Tim: ____ telcos as well ____.

Jamie: Right. It is important to find, especially for us, because we are providing a security service and an optimization service, so we need to be able to protect our customers from different types of threats, like different DDoS attacks. So we need to have some information about the traffic that we receive; however, it is not important for us to keep every single thing. There is a lot that can still be gleaned through aggregation. So that’s something that we are very keen on, not only having strong policy about how we respond to law enforcement, but also making sure that we have policies around data retention.

Tim: ____ keep that information as you need it ____.

Jamie: That’s correct.

Tim: So what should companies learn from the fact that we had a wholly different conference across the street, mostly because of sponsors?

Jamie: I think it is something that companies need to be mindful of because it is not just about an entity spying on your company, or spying on your customers; at the end of the day it comes down to brand reputation. You are going to lose business if you are not in the business of trust.

Tim: ____ we are right across the street from the same convention center where RSA is at. We are not at RSA; where are we right now?

Joel Wallenstrom: No, we are not at RSA. We are at TrustyCon. This is the first year we have had this. It is just a complementary conference to RSA. We put it together to make sure that a few of our industry experts had a platform for discussing some really important security issues.

Tim: Now how does it differ though, because RSA is obviously, many thousands of people are here for security, ____ and this was in fact, one of the different ____ talk about that.

Joel Wallenstrom: Well, I think there are several thousand people for a security conference, so there are thousands of security people here, but not that many security experts. So what happened is there were a few people whose voices really needed to be heard, who didn’t feel comfortable with that other platform just this year, and we wanted to provide that venue for them to have their voice.

Tim: Now we are at a movie theater, and with a smaller conference, but it did sell out quickly. How does ____?

Joel Wallenstrom: It did. Well, when we heard a few people were uncomfortable with the current format, we decided that we needed to go hunting for a place to give them that platform I talked about earlier. And this was the place that was available. It seats 400 people, and I think it was just a few days before it sold out and we had a waiting list of 300.

Tim: And you didn’t ____ for finding speakers?

Joel Wallenstrom: We didn’t. There were not that many people who wholesale decided that they couldn’t speak at RSA. They were easy to find, because they had made that public. And then once we created the forum, we had other great industry notables like Bruce Schneier and Dan Boneh who raised their hands and said, let’s be part of this.

Tim: Right now that you a single track conference ____ what are some of the highlights that are things that people could be here at the conference, what will they be seeing?

Joel Wallenstrom: A lot of it is heavy math, a lot of it is cryptography. A lot of it obviously has to deal with some of the issues that have popped up, in the media at least, between NSA and RSA, so it has a lot to do with freedom of speech and our ability to maintain privacy in our computing lives.

Tim: Now some people get the idea that being in favor of free speech, or in favor of encryption, is somehow anti-corporate ____, or anti-government. What kind of sponsors do you have ____ do you have companies that are involved ____.

Joel Wallenstrom: Well it is interesting, we do. You can look around, we have CloudFlare, DigiCert, a number of different companies that have stepped out and they are formal sponsors. But we have a lot of people that are behind the scenes that are supporting us as well. Yeah, it is a little bit of a controversial issue. But the big guys are all involved in this conversation, and I like to think that we have their support in one way or another as well.

Tim: Organizing a conference this quickly, is there any challenge in particular that made it hard?

Joel Wallenstrom: Well, the company I work for isn’t necessarily an event planning company, so certainly when you try and put an event together, that can be a challenge, but there is just such a groundswell that we had volunteers from I think up to ten different companies who have jumped in and helped us. ____.

Tim: So let me just ask you one more thing. You just told us you had a big waiting list. What is the future? Do you think TrustyCon has legs?

Joel Wallenstrom: Well there is a natural inclination to think that it does. ____ as I said, we have been so focused on executing on this that the next one hasn’t been planned or announced. But I mean, stay tuned, I am sure you will hear something soon.

Alex Gaynor: I am a software engineer with Rackspace, but moreover I work on Python, the open source projects, and particularly cryptography projects, trying to make cryptography more accessible to developers, and I believe deeply in user privacy, user security, and trying to ____ those things.

Tim: What did you hope to gain today? And how do you think it came out?

Alex: I hope to gain new perspectives on how to give users increased ____ systems, and it has been a fantastic conference.

Tim: Contrast this with the other security conference ____.

Alex: I’ve never actually been to another security conference.

Tim: This is your first one you went to ____ what do you think of this ____ conference?

Alex: Yes. ____ I have been super pleased. So much, so many exciting, interesting people showing their perspectives. It has been extraordinarily valuable.

Tim: Rackspace has done a lot of open source projects. So how do you feel about ____ privacy and things like that ____ you are here and you work there, ____.

Alex: Obviously, I can’t speak officially on behalf of them, but yeah, we place a lot of emphasis on open source and making the code we run very accessible to people.

Tim: ____.

Alex: How do you mean?

Tim: Well, let’s say the hardware ____ hardware is something that is getting more and more ____ compared to hardware, and software is getting more complex

Alex: Sure. So again, I can’t speak officially, but I can say one of the projects we are involved in is called Barbican, which is now, I felt, exposing the hardware security modules reliably to users in cloud environments as well as providing a more robust secret management infrastructure.
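Jamie's remarks earlier in the interview about keeping aggregates rather than every request, and about still being able to spot DDoS-style traffic from those aggregates, describe a data-minimisation design that is easy to show concretely. The Python script below is an added example for this page, not code from CloudFlare or from anyone interviewed here. It parses a few constructed Common Log Format lines, keeps only per-minute, per-path counters (request volume, error count, number of distinct clients), discards the raw lines and client IP addresses once the counters are updated, and shows that an error-ratio anomaly check still works on the aggregate alone. The sample log lines, the `aggregate` and `flag_anomalies` helpers and the thresholds are all assumptions made for the illustration.

```python
"""Data minimisation by aggregation: retain per-minute counters, not raw requests.

Added example; the log lines below are constructed and the thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample access log (Common Log Format style), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2014:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [13/Mar/2014:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024
198.51.100.7 - - [13/Mar/2014:12:00:03 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.8 - - [13/Mar/2014:12:00:04 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.9 - - [13/Mar/2014:12:00:05 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.5 - - [13/Mar/2014:12:01:10 +0000] "GET /about HTTP/1.1" 200 256
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


@dataclass
class Bucket:
    """What is retained for one (minute, path) pair: counters only, no identifiers."""
    requests: int = 0
    errors: int = 0            # 4xx/5xx responses
    distinct_clients: int = 0  # count derived from a temporary set that is then dropped


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def minute_key(ts):
    """'13/Mar/2014:12:00:01 +0000' -> '13/Mar/2014:12:00' (truncate to the minute)."""
    return ts.split(" ")[0][:-3]


def aggregate(log_text):
    """Fold raw lines into {(minute, path): Bucket}.

    Client IPs are only held in a per-bucket set while counting distinct clients;
    the sets are discarded before the result is returned, so nothing retained
    links a request back to an individual client.
    """
    seen_ips = defaultdict(set)
    buckets = defaultdict(Bucket)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped rather than stored
        key = (minute_key(rec["ts"]), rec["path"])
        b = buckets[key]
        b.requests += 1
        if rec["status"][0] in "45":
            b.errors += 1
        seen_ips[key].add(rec["ip"])
    for key, ips in seen_ips.items():
        buckets[key].distinct_clients = len(ips)
    return dict(buckets)  # seen_ips goes out of scope here; only counts survive


def flag_anomalies(buckets, error_ratio=0.5, min_requests=3):
    """Flag (minute, path) pairs whose error ratio is unusual, using the aggregate only.

    Thresholds are illustrative; a real deployment would tune them per service.
    """
    return sorted(
        key for key, b in buckets.items()
        if b.requests >= min_requests and b.errors / b.requests >= error_ratio
    )


if __name__ == "__main__":
    agg = aggregate(SAMPLE_LOG)
    for key, b in sorted(agg.items()):
        print(key, b)
    print("flagged:", flag_anomalies(agg))
```

Run as a script it prints three buckets and flags the `/login` path in the 12:00 minute, where three of four requests failed authentication; the retained data never contains the addresses of the clients involved, which is the trade-off the interview describes between serving a security function and not keeping every record.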

Even if it was for a "good cause". Let's for a moment even assume that the NSA is an all-holy entity that could never do anything wrong and that we trusted them implicitly, not because our software forces us to but because we genuinely wanted to.

Note the subjunctive.

Even then the security software would be a security hazard. Simply and plainly because there is (at least) one way to access data that is absolutely beyond your control. You cannot even audit the security level of the entity holding the additional key to your data.

If you need to give your non-tech boss a way to understand the severity, that's like having a general key to your office and the safe with all the highly classified and mission critical papers deposited at your local police force. While by itself not a problem (provided you trust your police), they are not required to give you any information concerning the key's storage or whereabouts. You will not be notified how they themselves will keep that key safe, nor do you get any kind of information should that key get stolen. You will not be notified if some potential attacker or burglar, or even a competitor, gets access to that key, legally or illegally.

I went to RSA on my company's dime for about five years, but was always asleep on a plane before Bill Clinton, Tony Blair or whoever else was there said their piece and collected their fee.

Now that I'm more selective about which conferences I attend (I've already "seen the show" at the big ones), hitting alternative conferences like DEFCON (instead of BlackHat), and Thotcon (Chicago) and now TrustyCon will continue to be my focus.

Hate to break it to you but DEFCON is hardly much of an alternative conference anymore -- it's run by the same guy who started and later sold BlackHat. I was there last year. Vibe was very much the after-party for BlackHat -- lots of similar corporate T-shirts in groups, I think most of the attendees were sent there by their employer and many of them sported schwag. I watched a presentation that had a big "HP" logo for Hewlett Packard on the powerpoint. Lots of vendors (albeit smaller and non-corporate

I hope this is the beginning of the end of RSA's conferences. That they can not categorically deny any modification to their encryption routines at the behest of the NSA is proof enough that their products can not be trusted. It's farcical that all these researchers, striving for maximally secure systems, would present their findings at a conference hosted by a company that sold everybody out -- and for little money at that.

I'm assuming this reference to the attendee was missing a letter 'e'. To clarify, this Slashdot staffer is the guy who uses his mystical powers to delay all postings a few days after they've appeared on news.google.com. When people say they don't believe in Time Travel, this guy shows them how to send articles into the future.

Yes, article sounds like an advertisement for some wanna-be-conf.
Disappointing too that Colbert sold out to RSA. So much for Anonymous' folk hero. At the end of the day it's about opportunists trading people's liberties for cold hard cash.